Deperimeterisation has its critics. There are some who argue that it's a long name for something that is essentially common sense. But its supporters say that companies are moving quickly and that information security perimeters are disappearing fast.
This is a rather over-simplified view and, although deperimeterisation is gathering pace, I would be the last person to advocate the removal of perimeter defences. For me, deperimeterisation is not about removing anything, per se, but about "externalisation" — basically making internal applications and networks securely available to outside agencies.
All businesses today rely on partners to be successful, whether this is as part of a supply chain, outsourcing or a deeper component of a company's core services. This trend has increased rapidly over the past few years and has taken on truly global proportions, which in turn has resulted in businesses having to punch holes in their perimeter defences to allow access to their systems. These holes have introduced potential vulnerability points, which have made security professionals very nervous. So, how can we introduce a security architecture that protects the business at the same time as increasing flexibility for partners and end users alike?
A good analogy is a ship. Maintaining the integrity of the vessel is paramount to avoiding sinking. The hull is vital, but the individual compartments — engine room, living quarters and hold, for example — must also be watertight, and they all need their own, individual access policies. There may, for instance, be a policy in place which dictates that, when you are given access to the engine room, the door is always closed behind you. This is a different approach to enforcing security. It places less emphasis on the perimeter and more on process and people. Access to the different compartments of the ship is down to process and ensuring that people (in this case the crew) comply with it.
The next step to making systems interact with the outside world securely is to have an identity management solution that can be used to identify the user, their access device and where they are, so that, at any given point, you know who has been granted access to each segment. Returning to the ship analogy, a firm that has been given the contract to clean the ship must adhere to the access criteria and policies. Partners have to guarantee that they are compliant, which requires a certain level of trust. The fact is that very few businesses today have federated partners up and running.
The final step towards this idea of externalisation is web-enabling applications as part of a strategy towards a service-oriented architecture paradigm. The result is that new partners can be plugged into the business and be up and running quickly.
In short, network security must not be a business disabler, but a business enabler. Deperimeterisation or externalisation inevitably will become more widely adopted, as will the use of technologies such as biometrics, as part of an identity and access-management system. A recent pilot scheme, using biometrics to identify airport passengers at Heathrow Airport's Terminal 3, has shown just how well this technology can work.
Called miSense, the pilot scheme was designed to improve passenger experience and improve security in the face of organised crime and threats from terrorism. Over 4,000 participants were enrolled on the scheme, and survey results have shown that "the experience" received strong approval from over 70 percent of them, with over 80 percent confirming the ease of the enrolment process. In addition, 70 percent pointed to faster travel times, while another 18 percent backed the better levels of security that it brought.
From the airport's point of view, the pilot demonstrated that biometrics can increase profitability by helping to maximise use of scarce space, while ensuring efficient passenger throughput. Passengers saw it as a benefit because it allowed them to undergo more stringent security checks much more quickly than usual.
In this case, biometrics proved to be the right tool for the job, and was the cornerstone of the identity management solution. Identity management also applies to businesses adopting a strategy towards externalisation.
The miSense pilot was designed with the citizen in mind and highlighted very clearly how security is not a disabler but, in fact, can support business goals.